Loading summary
John Hammond
You're listening to the Cyberwire network powered by N2K.
Dave Bittner
And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization.
Unknown
Traditional defenses can't keep up.
Dave Bittner
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire hello everyone and welcome to the Cyberwires Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
John Hammond
If we see that in a strange or new or different application or program that we don't typically see, we start to get the hunch, hey, there might be some weaknesses, there's a flaw or potential vulnerability in that software. And truth be told, that was the very beginning of the story here. When we saw this detector fire, well that pointed us towards that Center Stack application. And then after we did our homework, did a little bit of research, we see, oh this has just recently been added to the known exploited vulnerabilities database that cism and we're thinking okay, yeah, we're onto something here.
Dave Bittner
That's John Hammond, principal security researcher at Huntress. The research we're discussing today is titled CVE 202530406 Critical Gladonet, Center Stack and Trio Fox Vulnerability Exploited in the Wild.
Unknown
Well for folks who aren't knee deep in exploit detection every I mean it's my understanding from reading the research that it was a PowerShell alert that was part of tripping you off to that there was a problem here, correct?
John Hammond
Any of those sort of hey, on the computer, on the endpoint, typical sort of living off the land is the keyword you tend to hear. But certainly PowerShell or other oftentimes command prompt low level system commands that could be ran well we could see that and we have that visibility and it's definitely something that's an identifier and breadcrumb for us.
Unknown
So at the center of this is CVE 20253406 explain that to us in plain terms. What in particular makes this one dangerous?
John Hammond
Great question and thank you so CVE2025 30406 is the CVE identifier that was assigned to this weakness and vulnerability in gladonet center stack. I'll admit I don't think it particularly covers or really does a good job explaining oh, this affects the trio Fox application just as well. But if you drill down into it, what that really is is what a lot of nerds and geeks call deserialization vulnerability. And that's usually a dangerous one. It's something that, oh, it's taking data or input from the user and then trying to manipulate it or process it in a way that well, could open the door for a little bit of tricks, a little bit of hey, magic something up their sleeve where it will now evaluate and actually execute RAW commands or raw code. But this was all pre authentication. You didn't exactly need a username or password or any credentials to get in the door to be able to access this endpoint. Truth be told, if you just knew the IP address or sort of the domain or website for this application, it's point and shoot. You just say this is who I want to target and then then it's done.
Dave Bittner
Well, let's dig into that a little bit.
Unknown
The research mentions view state deserialization. Can you explain that for us?
John Hammond
Yeah, deserialization is a very well known and especially that View states. I know you mentioned that keyword there. That is a common. I don't know if that's the right word to say that. That's just a well established potential weakness in this specific style or format of applications. It's specific to ASP or ASP NET or ASP aspx. Forgive me, I know the ASP sort of family of different things gets a little wild so it's one of those in that ASP umbrella. But that is native and natural to that language and syntax and code that's used for web applications like this. That view state handles session logic. So anyt that you might be interacting with the website, oh, it's keeping track of, oh, you logged in, you have some information tied to your account properties with your own Persona as you navigate through the pages. But ASP in this view states with its trying to deserialize some data it could absolutely be used and abused.
Unknown
Now this exploit involves hard coded cryptographic keys. Can we dig into that a little bit? Can you unpack that for us?
John Hammond
Yes, and thank you because this is the heart of the issue, the way that view state works and I'm glad we got to the core of it, well, truthfully, it relies on sensitive secrets kind of to be used as the seed or the beginning original value that it will work with for a lot of the crypto math and magic that it uses to compute and work with all the input and output it's handling. Now. The secret is something that should be stored server side. It should be a secret, right? It's not something that'll be in the user's browser. It's going to be way across the Internet, tucked away on the server or the website that you're trying to access. But it needs to be secret. And unfortunately, it seemed that in these gladinet Center Stack and Trio Fox installations, every single installation or copy and running rendition of the server just had the exact same value. It was not changed, it was not rotated, it was not new or dynamic. So if you knew one, you knew all of them. And that way it's not a secret anymore. You could go track down and determine what are those values? What are those magic numbers that will clue us in. To be able to beat up that view state and do this deserialization attack.
Unknown
I mean, it's kind of the keys.
Dave Bittner
To the kingdom, right? Oh, yeah, yeah.
Unknown
You mentioned in the research that you've seen this being used against a handful of organizations already. Are there particular types of organizations we're talking about? Is there any focus here?
John Hammond
Truth be told, I don't think I have a good answer for you right off the cuff. I tend to think, you know, when it comes to vulnerabilities just like this that are pre authentication, immediate jump to code execution and owning or compromising the host, oftentimes threat actors and hackers will just spray and pray. It's kind of an attack of opportunity. Look, if there's anything out and open and exposed on the Internet, well, it's point and shoot, it's open season. Why not just try to get an implant? Why not just try to gain persistence and exploit as much as possible en masse and there's really no specific, oh, is it a sector, is it a certain industry or vertical? It's just whatever's an easy target.
Dave Bittner
What's your sense for how widespread this could be?
John Hammond
Truth be told, this is small. It's small scale, it's very limited. When we got to see some of the footprints or what's accessible out on the open Internet with tools like Census or Shodan, just kind of seeing what's out there while other resources are scanning the Internet, there weren't a lot of these servers out and about. And that's not to say, oh, relative to other cases where you're looking at other software that's ubiquitous, but maybe about 250, 275 or 300 or so servers out and about in the wind. And I'll say what we saw at compromised or now potentially tested in our partner environments, small numbers started at 2, moved to 7, maybe move up to 12 or 24, but that's not zero. And that's more than enough for us to, hey, spring into action.
Dave Bittner
We'll be right back. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that.
Unknown
It's a way to stop ransomware and.
Dave Bittner
Other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. foreign Dave here. I've talked about Delete me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up.
Unknown
Deleteme keeps finding and removing my personal.
Dave Bittner
Information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals.
Unknown
DeleteMe also offers solutions for businesses, helping.
Dave Bittner
Companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.
Unknown
Yeah, I mean, I guess on the one hand it's good news that it's not more globally widespread. But on the other hand, if one of those servers happens to be yours, that can make for a bad day.
John Hammond
Yeah, without a doubt.
Unknown
So let's go through a typical attack chain here. Can you walk us through sort of step by step, what the attacker does and what they're trying to accomplish?
John Hammond
I can. And forgive me, I can get as nerdy and geeky and spew as much technobabble as you'd like.
Unknown
Well let's walk the line there knowing that our audience is pretty technical but also, you know, we do have limited time.
John Hammond
No. So let's say you're putting your hacker hat on, you're acting as the adversary and if you're doing your homework, trying to just see track down what are these hard coded secrets or these cryptographic values tucked away in the application center stack or trio Fox, truth be told, you can just kind of hey, grab a free trial of the software off the website, off the Internet and then get it installed and you could see what the values are. And that's the keys of the kingdom, just as you mentioned. So there are and again, truth be told, off the shelf like readily available tools and tooling to be able to test or validate weaknesses like this with view state deserialization in these ASP web apps. Why so serial is what I'm alluding to for again the nerds and geeks listening in. But you can pretty easily weaponize that there are plugins to say let me oh, plug in these right values, those correct sensitive cryptographic keys and then point it to a server. If we wanted to zoom in just a little bit and this is really where the nuance comes in, if I may. There are different endpoints or different addresses like you're accessing the website that will correspond to a different internal configuration file where there might be different view state configuration values. So you as a system owner, as an administrator, maybe the IT or security individual you need to be tracking all of those really, it boils down to just two kind of as we've seen in the wild. But that is where we wanted to get a little bit of the extra messaging out because it's not just one file on your file system, it's something else that you got to keep track of too. And some of the patching or upgrading opportunities that are available to you, I'll admit there was more than one and some of them worked and some of them didn't seem to. So we've seen instances where this software gladonet or Tree or Fox is in air quotes upgraded to the latest version and in air quotes patched. But those sensitive keys still weren't rotated and could still just as easily be exploited. So there are a couple gimmicks and gotchas there that we want wanted to help spread the word for this was just too easily weaponized. But a couple things to still keep an eye out and be aware of.
Unknown
So as the attacker makes their way through their business here, what sort of things do they seem to be focused on?
John Hammond
This one is oftentimes gaining persistence, gaining more implants, access hooks and claws so that they can get back into the environment if, oh, they maybe found a door closed behind them or anything. There's still other opportunities to continue their campaign or work with this later. We had seen Cobalt strike very, very well known and again, common command and control capability and tooling there and others like different remote monitoring and management solutions. Again, nerds and geeks might be familiar with Mesh Central, but you think of that as again just that remote control application that's typically trusted. It's a well known and that's just a third party solution that your antivirus or a lot of security solutions aren't going to complain about because it looks quote unquote normal. It's just how it's used with the intent, with the purpose. But bad actors, well, they have ill intent.
Unknown
Yeah, let's talk detection and response here. I mean what are your recommendations? What should Defenders be looking for in.
Dave Bittner
Their logs or their alerts, you know, those sorts of things?
Unknown
Yeah.
John Hammond
And thank you so much. There is a real, real indicator. There is an artifact that is left behind in the logs. You could drill down and track down the Windows event viewer, the Windows application event log. And if you wanted to be super tactical, one of the event IDs, I believe it's 1316, will just really sound the alarm. It says bright and bold, view state verification failed. Like view state was invalid. Anything curious there? But it'll include the whole payload or the raw dump that's just the encoded commands that could have very well been trying to be executed, trying to be processed, deserialized to run. So if you did a little bit of magic, if you try to decode that data, you could really see smoking gun at the crime scene, what they tried to fire off what they wanted to execute. But that is definitely the key indicator. Look in your logs and try to find those indicators of compromise.
Unknown
You know, you mentioned that there are patches available, but looking at the big picture here, if I discover that a tool, and I'm trying to be non specific here, but if I discover that a tool in my inventory that I count on has hard coded cryptographic keys, is it time for me to maybe be shopping around?
John Hammond
Yeah. Well, I'll put my finger on my nose here. And I know that's really within everyone's personal, your own assessment, your risk model. Right. But hey, in 2025, as we're having a lot of conversations of secure by design, we're Thinking about that supply chain, we're thinking about all the ways that hackers are banging at the door. Yeah. Maybe we can board up the windows and lock the doors a little bit more.
Unknown
Yeah, yeah.
Dave Bittner
What do you hope people take away from this research?
Unknown
Any words of wisdom here?
John Hammond
Well, I think, and forgive me, I know again nerdy geeks, but I think there's been some interesting conversations that followed this because this view state deserialization is as I was alluding to, just a known thing that's established in the information security and information technology ecosystem to the point that this has been around for many years. This is a known weakness and class of vulnerability. So seeing this as we are in today's day and age, the modern world right now, we're kind of scratching our head just as you mentioned, why do we still stuck with this and are there other applications or software that have the same fault? So we saw some write ups and articles from Microsoft. We saw other vendors connectwise making some changes to their screen connect application and other things to try and mitigate this. So. So this glaring potentially open hole is not an attack surface for the future. And I'm glad to see and hear kind of the industry, hey, picking up our ears and looking around and having the wherewithal to say oh yeah, let's get ahead of this so there's not more damage done. We can limit this and focus on that class of vulnerabilities. We really got to make sure we can nip this in the butt.
Dave Bittner
Our thanks to John Hammond from Huntress for joining us. The research is titled Critical gladinat, Center Stack and Trio Fox Vulnerability exploited in the Wild. We'll have a link in the show. Notes this episode was produced by Liz Stokes were mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Release Date: May 31, 2025
Host: N2K Networks / Dave Bittner
Guest: John Hammond, Principal Security Researcher at Huntress
In this episode of CyberWire Daily's "Research Saturday," host Dave Bittner engages in a deep dive with John Hammond, Principal Security Researcher at Huntress, to discuss a critical vulnerability affecting TrioFox and Gladonet Center Stack. The conversation sheds light on the nature of the vulnerability, its exploitation in the wild, and the broader implications for cybersecurity practices.
Timestamp: [02:06]
John Hammond introduces the vulnerability identified as CVE-2025-30406, affecting Gladonet Center Stack and TrioFox applications. Described as a deserialization vulnerability, this flaw allows attackers to execute arbitrary code without needing authentication credentials.
John Hammond ([02:29]): "This was all pre-authentication. You didn't exactly need a username or password or any credentials to get in the door to be able to access this endpoint."
Deserialization Explained: Deserialization vulnerabilities occur when applications improperly handle user-supplied data, allowing attackers to manipulate serialized objects to execute malicious code. In this case, the vulnerability leverages ASP.NET’s view state deserialization process, which manages session logic for web applications.
John Hammond ([04:33]): "View state handles session logic… deserialization attack."
Timestamp: [05:44]
A critical aspect of CVE-2025-30406 is the use of hard-coded cryptographic keys within the Gladonet Center Stack and TrioFox installations. These keys are intended to secure the view state data during serialization and deserialization.
John Hammond ([05:52]): "The secret is something that should be stored server side… in these Gladinet Center Stack and Trio Fox installations, every single installation had the exact same value."
The reuse of identical cryptographic keys across multiple installations significantly weakens security, as compromising one key compromises all instances using that key.
Timestamp: [11:20]
John Hammond discusses the current exploitation status of the vulnerability, noting that while its spread is limited, it poses a significant threat.
John Hammond ([07:09]): "This is small scale… about 250, 275 or 300 or so servers out and about in the wild."
Although relatively confined, the presence of exploited servers necessitates immediate action to prevent further breaches.
Timestamp: [11:33]
Hammond outlines a typical attack sequence leveraging this vulnerability:
John Hammond ([14:22]): "They can get back into the environment… by using remote monitoring and management solutions."
Timestamp: [15:26]
Effective detection relies on monitoring specific indicators of compromise (IoCs) within system logs. Hammond emphasizes the importance of tracking Windows event logs for anomalies related to view state processing.
John Hammond ([15:29]): "One of the event IDs, I believe it's 1316, will just really sound the alarm. It says view state verification failed."
By identifying such events, security teams can swiftly respond to potential breaches.
Timestamp: [16:28]
Hammond advises organizations to reassess their security posture, especially if they discover hard-coded cryptographic keys within their software stack. Emphasizing secure design principles and vigilant supply chain management is crucial.
John Hammond ([16:51]): "In 2025, as we're having a lot of conversations of secure by design… we got to make sure we can nip this in the butt."
Timestamp: [17:24]
John Hammond underscores the persistence of known vulnerabilities like deserialization flaws and the necessity for continuous vigilance and proactive measures in cybersecurity.
John Hammond ([17:24]): "This is a known weakness and class of vulnerability… we can limit this and focus on that class of vulnerabilities."
The discussion culminates with a call to action for organizations to address such vulnerabilities promptly to safeguard their digital assets.
This episode highlights the critical nature of addressing deserialization vulnerabilities and the importance of secure key management. As cyber threats evolve, continuous research and collaboration among industry experts remain paramount in strengthening defenses and mitigating risks.
For more detailed insights and access to the full research paper, listeners are encouraged to visit the CyberWire website linked in the show notes.